Every year around this time we see the same experts dole out the same identity theft prevention tips. And yet, identity theft keeps getting worse. Maybe it’s because we have to take a step back, and start by exposing some of the myths that can lead to consumer apathy about identity theft. If we help consumers to better understand the reality of identity theft, they might better appreciate these tips and apply them more often.

So here goes:

Myth #1

“IDENTITY THEFT IS MORE HYPE THAN REAL”

Truth

Identity theft may be the single greatest crime epidemic in the history of America. According to research firm Javelin Strategy and Research, identity theft claimed an average of more than a million victims a month in 2012. The Department of Justice recently put the total number of victims at more than 16 million last year.

That means there were more victims of identity theft last year than there were burglaries, attempted burglaries, assaults, robberies, arsons, vehicle thefts, purse snatchings, pick pocketings, check fraud, and shoplifting combined.

Myth #2

“IDENTITY THEFT VICTIMS ARE NOT REALLY VICTIMS BECAUSE THEY GET THEIR MONEY BACK, SO IT’S NO BIG DEAL”

Truth

The biggest cost for victims of identity theft is the long term emotional harm. If a thief has your Social Security Number, or a grudge, as a victim you can be fighting for your identity for years. Victims often talk about the emotional harm being the worst – the worry, the harm to their credit, their lack of trust, their feelings of betrayal, wondering when the next shoe will drop, if it will impact their credit worthiness, their job, etc.

Myth #3

“ZERO LIABILITY MEANS I HAVE NOTHING TO LOSE EVEN IF I AM A VICTIM”

Truth

If you lose a small amount, say a few hundred dollars, your bank, credit union, or credit card company is likely to reimburse you. But if it’s more than that, or you can’t explain how the money was removed from your bank account, banks will often either deny your claim outright or tell you they will need to launch an investigation – which can take months.

And you may be in even bigger trouble if your debit card is copied through skimming. The thieves will have your card and PIN, without your knowledge, and banks will often use that as an excuse to blame you, the victim.

Myth #4

“I FROZE MY CREDIT SO MY IDENTITY IS SAFE.”

Truth

A freeze is helpful but only protects against new account creation. It doesn’t stop a thief misusing an existing account or credit card, prevent skimming, emptying a bank account, check fraud, using your identity to file fraudulent tax refunds, Social Security fraud, employment fraud and many other types of identity theft. And in a troubling trend, identity thieves are turning to payday lenders as a way to get around freezes, fraud alerts, and monitoring, because payday lenders often don’t run credit checks.

Myth #5

“I SHOULD BE MORE WORRIED ABOUT MORE COMMON CRIMES LIKE BURGLARY, PURSE SNATCHINGS AND PICK POCKETS”

Truth

You are 6 times more likely to be a victim of identity theft than burglary, and 500 times more likely to be a victim of identity theft than purse snatching.

Myth #6

“I CAN JUST GET A POLICE REPORT TO PROVE I’M A VICTIM.”

Truth

A police report is vital if you need to defend yourself against claims from debt collectors or victimized businesses. But police reports are not always easy to get, in spite of the fact that victims are entitled by Federal law to one.

Common excuses victims receive when they try to file a police report are “You need to file the report in the jurisdiction where the crime was committed” and “You’ll need hard evidence before a police report can be filed.” Neither is true, but you may still have to be patient when trying to get a police report.

Myth #7

“I TEND TO SHOP ON SMALL BUSINESS WEBSITES BECAUSE THEY’RE TOO SMALL FOR HACKERS.”

Truth

Most security experts believe that small businesses are now the number one target for hackers, mainly because of lax security. Web security firm SiteLock reports finding up to 5,000 new small business websites every single day that have already been compromised with malware waiting to infect visitors and shoppers.

Myth #8

“I USUALLY USE A DEBIT CARD BECAUSE IT’S MUCH SAFER.”

Truth

A credit card is a much safer bet than a debit card. A debit card connects directly to your bank account. If it’s compromised, the thief is stealing your money. If your credit card is compromised, the thief is stealing the bank’s money. Which would you prefer?

Myth #9

“I HAVE GOOD ANTIVIRUS SOFTWARE THAT’S ALWAYS UPDATED, SO I DON’T HAVE TO WORRY ABOUT CYBER THREATS.”

Truth

Antivirus software is very important but it’s only one layer of protection. A study by the University of Alabama found that most of the popular antivirus programs in use today only catch about 25% of malware. A test in December 2013 by security firm OPSWAT found that out of 44 of the most popular antivirus products on the market, only one could detect a keylogger.

Myth #10

“I GUARD MY PERSONAL DATA BETTER THAN FORT KNOX”

Truth

It’s not you, it’s them. No matter how well you guard your personal information, others will betray you. For example, there has been an average of one reported data breach in the U.S. every single day for the last five years, exposing more than 500 million personal records. Up to 80% of those records may have included Social Security Numbers. Could yours have been one of them?

As security experts and the media dissected the recently-uncovered stash of more than 2 million hacked passwords on a hacker’s server in the Netherlands, from users of Facebook, Google, LinkedIn and Twitter, did the real story slip by?

One thing was certainly clear from examining the stolen passwords – how many people are still using awful, and awfully weak passwords. Researchers from security firm Trustwave discovered the kidnapped passwords on a hacker server in the Netherlands, and a study of the stash revealed what we already know about passwords; that many users think weak predictable passwords are perfectly OK. Some of the most common passwords discovered in the server and apparently favored by many users included 123456, 11111, and, worst of all, password. Yes, the word password for a password. Maybe we’re not explaining the whole concept of passwords properly.

But the other lesson that came from the discovery is how effective a little known tool called a keylogger can be in fleecing passwords and other information from millions of computers. The initial suspect in this case was a keylogger, a small piece of malware that once installed on a computer will capture whatever the user types. And maybe even more. And there’s a good chance that your antivirus software won’t catch it.

In the same week the 2 million hacked passwords story broke, security firm OPSWAT released the results of some very interesting tests. When they tested 44 of the most popular antivirus products to see if they could detect a keylogger, only one was successful. A study by the University of Alabama found that those same products only catch around 25% of email-borne malware. And tests by Imperva put the success rate of AV products at detecting new malware at just 5%.

Keyloggers are typically after logins and passwords, often to commit identity theft and fraud or take over bank accounts. But they don’t just log what you type. They can also capture screenshots of what’s on your computer, screenshots of the websites you visit and the folders you open, and even what you search for. And software isn’t the only variety. There are also hardware keyloggers, designed to look like a plug or connector you’d expect to find at the back of a computer or even a cash register. One such keylogger was recently found plugged into a cash register at a Nordstrom store.

More advanced keyloggers can intercept data from wireless keyboards, and even collect and decipher the electromagnetic radiation or electrical signals given off by a keyboard. More than 25 years ago, a couple of former spooks showed me how they could capture a user’s ATM PIN, from a van parked across the street, simply by capturing and decoding the electromagnetic signals generated by every keystroke. They could even capture keystrokes from computers in nearby offices, but the technology wasn’t sophisticated enough to focus in on any specific computer. 25 years later, that’s probably not so difficult.

And using a touch screen won’t help you avoid keyloggers. It’s still a keyboard sending signals that can be intercepted, and good keyloggers will record your screen activity anyway. And if you use public computers, like at a library, you could be especially vulnerable. Library computers have been a very popular watering hole for keyloggers for years. They generally have many different users, public access, poor security, and little supervision.

The damage is real and not theoretical. Javelin Strategy and Research estimates that nearly $5 billion was siphoned from U.S. bank accounts in 2012 by crooks using malware, and probably most involved some type of keylogger.

So what can you do to defend against this menace?

· Use anti-keylogger software, like Key Scrambler (free) or Guarded ID ($29.99 for two). They won’t protect you against every type of keylogging but are a good defense against the more common software-based kind. Some work by instantly encrypting or scrambling all your keystrokes so that they’re unusable to hackers.

· Use a safe surfing tool or plugin, like McAfee Site Advisor or Web of Trust (WoT). As users become more wary of malware hidden in email attachments, hackers are turning to websites instead. Hackers will find vulnerable websites, known as watering holes, load them with keylogging malware, and simply lie in wait for visitors to those sites. Security firm SiteLock says it’s finding more than 5,000 small business web sites every single day already compromised with malware. Safe surfing tools will help alert you to suspicious or dangerous websites before you click on them.

· Always have good antivirus software on every computer and device you use. Some of the best is free, including for your smartphone and tablet. And scan often – at least once a week is recommended.

· Change your passwords often and think about passphrases instead. Passphrases are explained below and are a much safer and easier alternative to passwords.

· Be careful what you download and install. Poor security habits and hygiene are a leading contributor to malware infections. Slow down, guard up, verify first, and only download if you’re really sure and you really need to.

· Be careful what you type and where. Might sound simple, but as any good spy will tell you, the best way to minimize your exposure to a telephone tap is to avoid saying anything important on a phone. Avoiding accessing your bank account from a public area, like a coffee shop, is a simple way to avoid the threat of a nearby sniffer.

Forget passwords – think passphrases

A passphrase is a short sentence that’s easy for you to remember – that describes something about you and your life, for example – but that a hacker would have a very hard time knowing or guessing.

For example, the phrase could be something like “I graduated from Notre Dame University on June 1st 2002.” Pick the first letter from every word in that phrase, making sure you include the upper and lower case, and keep all the numbers.

That would give you the following password: “IgfNDUoJ1st2002” That’s a massive 15 characters and includes upper and lower case letters and numbers. Change the “I” to the symbol “!” and now you’ve made it even harder to crack.
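The derivation rule described above, as an added example that is not part of the original article: a Python sketch that applies the rule to the article's sample phrase and screens the result against the weak passwords the article names. The function names, the 12-character minimum and the three-character-class threshold are assumptions made for illustration.

```python
import string

# Weak passwords the article lists as common in the recovered stash.
COMMON_WEAK = {"123456", "11111", "password"}


def derive_from_phrase(phrase, swap_leading_i=False):
    """First letter of each word (case kept); tokens containing digits kept whole."""
    parts = []
    for token in phrase.split():
        token = token.strip(string.punctuation)  # drop a trailing "." and similar
        if not token:
            continue
        if any(ch.isdigit() for ch in token):
            parts.append(token)       # "1st" and "2002" stay intact
        else:
            parts.append(token[0])    # "graduated" -> "g", "Notre" -> "N"
    password = "".join(parts)
    if swap_leading_i and password.startswith("I"):
        password = "!" + password[1:]  # the article's "I" -> "!" substitution
    return password


def character_classes(password):
    """Return which of lower/upper/digit/symbol appear in the password."""
    classes = set()
    for ch in password:
        if ch.islower():
            classes.add("lower")
        elif ch.isupper():
            classes.add("upper")
        elif ch.isdigit():
            classes.add("digit")
        else:
            classes.add("symbol")
    return classes


def review(password, min_length=12):
    """Return a list of problems; an empty list means none of these checks fired.

    min_length and the three-class threshold are assumed values, not the article's.
    """
    problems = []
    if password.lower() in COMMON_WEAK:
        problems.append("appears in the list of commonly used passwords")
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if len(character_classes(password)) < 3:
        problems.append("uses fewer than three character classes")
    return problems


if __name__ == "__main__":
    phrase = "I graduated from Notre Dame University on June 1st 2002."
    candidates = (
        derive_from_phrase(phrase),
        derive_from_phrase(phrase, swap_leading_i=True),
        "123456",
        "password",
    )
    for candidate in candidates:
        print(candidate, len(candidate),
              sorted(character_classes(candidate)), review(candidate))
```
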

Unless the hacker knows you personally, it would be nearly impossible to guess or crack such a passphrase. Even if the hacker did know you, they would have little way of knowing the phrase you chose.

And if you have trouble remembering the phrase, you can still write it down and keep it somewhere in your home, because there’s very little risk a hacker would find it in your home and recognize the phrase as a password. You can use similar or themed phrases to protect other accounts, but instead refer to when you graduated high school instead of college, or when your kids graduated, and so on.

Have you any idea how much your identity is worth on the black market? And before you answer, remember that there’s a difference between wholesale and retail. Wholesale is the price hackers charge other crooks for stolen information, like credit card numbers, Social Security numbers, and bank account information. Retail is the value those crooks place on the amount of money they can make from the stolen identities they buy.

A couple of weeks ago, Dell Secureworks put together a very compelling summary of exactly how much personal information goes for in the hacker world. Researchers at the company took a peek inside more than a dozen of the more active and professional underground hacker forums, a kind of data bazaar, where hackers buy and sell people just like you.

And it seems like there is so much stolen information in circulation and for sale, it’s driving the prices down. Way down. Which could mean that hackers have to steal and sell even more information just to make a living.

Here’s just a sampling of what Secureworks found:

A U.S. Visa, MasterCard, American Express, and Discover card will run between $4 and $8.

Data from the mag stripes on those cards fetches around $12. That stripe can include cardholder information, expiration data, and valuable security information.

Want to infect computers with data-stealing malware? That will cost you around $20 for 1,000 computers and $250 to infect 15,000 computers.

Need someone to develop a Trojan to plant on those infected computers? That can cost as little as $50.

Looking to hack into someone else’s website or steal their data? Hire a hacker to do the job for as little as $100.

And if you want a bank account that has anywhere between $75,000 and $150,000 on deposit, you can have all bank account details, including routing number and password, for less than $300.

According to Secureworks “Once scammers buy the malware-infected computers, they can do anything they want with the machines. They can harvest them for financial credentials, infect them with ransomware so as to extort money from their owners, or use them to form a spam botnet to send out malicious spam on behalf of other scammers.” Some spammers have made up to $2 million a year.

I’m currently working with a notorious identity thief who maintains that getting personal information is the easiest part, and that there’s so much stolen information in circulation identity thieves can pick and choose which identities to plunder.

I’ve been saying it for years. Worry less about whether your information is out there, in the hands of crooks. It probably is, and it’s only a matter of time before you’re the next one in line. Focus more on locking down your little corner of cyberspace. That’s a fight you have a better chance of winning.

Why Holiday Security Tips Might Be A Waste of Time

Mon, 02 Dec 2013

Every year around this time, the only thing as certain as sales is the same worn out old list of holiday safety tips being trotted out by a whole gaggle of security experts, wannabe experts, and people peddling products. And while these tips are important, especially around this time, I wonder if they work anymore. Or even if they ever worked.

I think the answer is yes, but only to generate some exposure for their authors. I have to admit, I was part of that posse. I started offering holiday security tips back in 2000 when I was the Director of Education for ZoneAlarm (killer firewall!). More recently, it was an annual tradition for me to dust off and tune up my own set of holiday safety tips, beautifully packaged as “The 12 Thefts of Christmas and How You Can Grinch them!” They’re retired now so don’t even ask.

In spite of the same predictable collection of tips on how to avoid identity theft and other scams, I don’t see much movement in the consumer awareness needle. I still do plenty of town halls and community presentations, and get daily calls from victims, and I see little improvement in consumer commitment to self-defense.

Consumer awareness is at an all-time high – there are very few consumers who are not aware of identity theft. But the key ingredient in awareness – vigilance – doesn’t seem to have caught hold. Awareness means knowing there’s a risk and how to avoid it. Vigilance means remembering those rules at precisely the moment it matters – right before clicking on a link, before opening an attachment, before visiting a website, before taking an unprotected laptop home and so on.

A study from TransUnion a couple of weeks ago highlighted just one of the problems. In spite of more than a decade of relentless consumer education and wall-to-wall media coverage, the TransUnion study found that a third of adults in the U.S. have never checked their credit reports.

And if you look at all those tips that all those experts have been sharing for all those years, the net result seems to be that all those bad old habits are still there.

So what’s the problem? Where’s the disconnect and why is the message not getting through? The fundamental problem, and the reason why identity theft continues to climb every year, is that consumers just don’t care enough. There’s a very common assumption, mainly as a result of good marketing, that zero liability means as a victim you have absolutely nothing to lose. Zero liability has been interpreted to mean zero risk, zero loss, and zero responsibility.

And even if it sounds counter-intuitive, now might not be such a good time to be talking to consumers about identity theft. At least in their eyes:

They’re too busy with the holiday hassle to stop and think about identity theft.

This is supposed to be a time of good cheer, so don’t bring them down with bad thoughts.

Repetition has a dark side, as consumers just tune out the same tips they see everywhere every year.

Is college the cure for Facebook safety concerns?

Tue, 30 Apr 2013

“All that is necessary for evil to triumph is for good men to do nothing.” Wise words that have served over the centuries and could still be invoked today in our attempts to figure out why so many parents still seem to be so apathetic when it comes to the safety of their own kids.

One question that I’ve probably been asked over the years by worried parents more than any other, is “How do I protect my kids on (or from) Facebook?” And top of the list of my recommendations to these parents has always been that they should start by creating their own Facebook page.

It’s simple advice and an easy fix. By going through the process of creating their own Facebook page, parents will get a much better understanding of how Facebook works, how their kids can be exposed, and how to use Facebook’s own security and safety options to limit the risks to their kids. And if they persuade, or force, their kids to be their friend, even better. At the very least it should help dilute some of the guilt parents feel when they allow their kids to roam Facebook world un-chaperoned.

So how many of these parents over the years have taken to heart at least that one piece of advice? As far as I’m aware, none. Case in point – I recently spoke to one friend I had given this advice to more than four years ago. She has a son and a daughter – the son had just created his own Facebook page and her daughter, although just twelve at the time, was pestering Mom to be allowed “to Facebook.”

When I asked her recently if she ever got around to creating her own Facebook page, she said she hadn’t. She was just too busy. And besides, her son was off to college now, was much more mature, and so the danger had passed. And he said he didn’t use Facebook much anymore because most of his friends were too busy to check in. If his friends were no longer on Facebook, there was no need for him to be there.

I guess that’s one way to deal with danger. Stand your ground, even plant your head firmly in it, cross your fingers, and hope the danger will pass you without noticing you. Like the Wildebeest in the center of the herd.

It reminded me of a similar experience more than a decade ago, when I led an innovative program called Think Security First, a unique experiment by an entire city to make cybersecurity awareness a top priority for the city for an entire year.

Identity theft, online predators, and child safety were major media headlines at the time, so we organized a town-hall meeting at a local school to introduce parents to a team of experts we had assembled to help teach parents and kids about these risks.

The event was heavily promoted and backed by the city council, Chamber of Commerce, school district and many others. It was promoted to dozens of local schools that in turn invited more than 10,000 parents. We picked a location, date, and time that local school principals advised us would make it easiest for the most parents to attend.

We also picked a school that was central to everyone, had plenty of free parking, and had a fantastic auditorium that could seat 400. We hoped that four hundred seats would be enough, especially because the FBI had sent one of their top experts from the Innocent Images task force who had some startling and eye-opening research to share with parents.

We also had the support of the Mayor and the Police Chief, who were there to remind parents just how seriously the city viewed the issue of child safety, and how it was up to all of us to work together to protect each other.

In total, about twenty people showed up. Out of nearly 10,000 invited. And at least half of those were our own volunteers and supporters.

It’s just a reminder that the biggest ally for cybercriminals is the apathy and indifference of their targets, and that cybercrime and identity theft continue to surge because so many consumers won’t get involved in their own protection. Even if it’s very simple and uncomplicated. And it’s also a reminder that things will probably never change – they certainly haven’t in the last ten years.

Or maybe parents were right and experts like me were over-thinking the dangers. After so many years on Facebook, many kids just outgrew it. There’s growing evidence that kids are abandoning Facebook in their millions so at the very least that reduces the number of potential victims, right? And maybe the best way to dodge the dangers is to simply hide in the middle of the herd and hope that by blending in, you won’t be singled out.

Maybe after thirty years in security I should think about changing my focus. Instead of researching the cure for insecurity, I should pursue the cure for apathy. Even if I know there probably isn’t one. The triumph of evil quote was originally pinned on Plato, more than 2,000 years ago. So I guess human nature is constant enough to be its own worst enemy.

Hackers continue their assault on America’s small businesses

Thu, 18 Apr 2013

The recently published 2012 Internet Security Threat Report from Symantec offers a deep and sometimes chilling insight into the world of cybercrime, the crooks, and the victims.

The report is pretty comprehensive but one of the first snippets to jump out at me was Symantec’s discovery that the largest growth area for targeted attacks in 2012 was the small business. Businesses with fewer than 250 employees accounted for nearly a third of all attacks detected by Symantec. And that was double the previous year.

Yet another clear sign that the small business is clearly a hot target for hackers. According to Symantec, “small businesses believe they are immune to attacks targeted at them. However, money stolen from a small business is as easy to spend as money stolen from a large business. And while small businesses may assume that they have nothing a targeted attacker would want to steal, they forget that they retain customer information, create intellectual property, and keep money in the bank.”

Small business owners have argued for years that they can simply hide in the crowd because there are simply so many of them (27 million in the U.S. alone), and hackers will never find them. They forget though, that hackers are using sophisticated automated tools to prod and probe millions of small businesses, and jump on the ones, the many, they find vulnerable.

Those vulnerabilities can lead to data and identity theft, the distribution of malware and ransomware, the launch of crippling Denial of Service attacks, and even the blacklisting of the business web site by search engines.

Symantec also made another argument that could point to the selfishness of some business owners when it comes to security: even if you won’t do it for yourself, do it for others. “The lack of adequate security practices by small businesses threatens all of us,” says Symantec. “Attackers deterred by a large company’s defenses often choose to breach the lesser defenses of a small business that has a business relationship with the attacker’s ultimate target, using the smaller company to leap frog into the larger one.”

In the coming weeks I’ll be highlighting even more research that reveals the stunning number of small business web sites that are identified with major security vulnerabilities each month, and evidence that hackers are actively hijacking these sites.

Victimized for life by a Walgreens data breach

Wed, 03 Apr 2013

Yesterday I received a call from a victim of identity theft who had been informed through one of those now-common data breach notification letters that thieves had obtained her personal information and she could be a victim of identity theft.

The letter came from a Southern California healthcare company called Crescent Healthcare, owned by pharmacy giant Walgreens. According to the letter, the stolen information could include her Social Security Number, along with her name and address, phone numbers, and her date of birth. And as if that wasn’t enough to worry about, the thieves may have also stolen her medical records and health insurance information.

Although she was now panicked at the thought of how much damage this information could do to her credit and her life, she got little comfort from the letter. No further information, no web site to answer questions, no hotline number for victims, and no offer of any identity protection or credit monitoring.

She was, however, given the phone number of one of the credit bureaus who would gladly freeze her credit for a fee of $10 – for each credit bureau. That’s hardly a robust response to a data breach, given that any consumer in the country can freeze their credit reports for a fee.

According to the victim, the credit bureau did offer to waive the fee if she could produce a police report to verify she was indeed a victim – again, a right every consumer has. The problem with that request is two-fold; as she doesn’t yet know if she’s a victim of identity theft and not just a data breach, her police department refuses to take a report. As far as they’re concerned, she has yet to be the victim of a crime.

Even if she could get a police report, it would probably take a couple of weeks. Then she’d have to mail the report, along with a bunch of other information, to each credit bureau to request the free freeze. By the time the freeze is in place, weeks or even months could have elapsed, giving thieves plenty of time to wreak havoc on her identity and her life.

I tried to learn more about the breach from Crescent, but not surprisingly, they were trying hard to pretend like it never happened. There was no mention of the breach anywhere on their web site, no information for victims, no-one to contact for more information.

When I checked the Walgreens site, I got the same result. Nothing. Complete radio silence. But I wasn’t surprised. There are plenty of CEOs out there who are completely, and probably genetically, unable to do the right thing. They hope that by shifting very quickly into denial mode and ducking behind their executive desks, they can escape the wrath of a data breach.

And they’re probably right. Victims can do little to hold these indifferent executives responsible. And with an average of one new reported data breach every single day in the U.S., there’s little the media can do to publicly shame these companies.

What these heartless executives don’t realize is the enormous long-term emotional impact that data breaches can have on victims, even if the carelessness of the breached business never actually leads to identity theft. Victims of identity theft liken it to severe stalking. You know that someone out there has enough information on you to make life very difficult, but you just don’t know when the manure is going to hit the air conditioning system.

At the end of our conversation the victim asked me directly “If they have all this information, including my Social Security Number, will I have to look over my shoulder for the rest of my life?” I had no good answer for her.

Shame on Walgreens for victimizing their customers, twice in a row. I hear there are rumblings of a class action lawsuit but I doubt this will be of much consolation to the victims, as these lawsuits rarely fix the long term fallout.

A Ghost of an Identity

Tue, 02 Apr 2013

Ever wondered if you have a ghost identity? Not necessarily a doppelganger or a fetch (you’d have to be Irish to get that) but a real person living secretly and mysteriously under your identity? It’s more common than you might think, and it’s often because of something in your credit report called a sub-file.

Take the case of Marco (not his real name). He’s an artist, in his late sixties, and living a very peaceful life in Northern Arizona. Peaceful, that is, until he gets yet another alert from his identity monitoring service that someone else is using his Social Security number.

Thinking immediately that he had become yet another victim of identity theft, he went straight to his credit reports to see how bad the damage was. But there was no damage. The problem for Marco is that there’s no sign of any fraud or identity theft in his credit report, no fraudulent accounts opened, no damage to his credit score, and no debt collectors looking for money from him.

Marco is the victim of a sub-file, an almost secretive additional credit file that the credit bureaus keep on millions of consumers. Credit bureaus are really like intelligence agencies, and some boast that they have more personal information gathered on U.S. citizens than all the U.S. national intelligence agencies combined.

The bureaus are hounds for information, and any time a Social Security number is used in the wild, it usually ends up in the files of the bureaus. Even if it’s the wrong name associated with the SSN, even if no credit is applied for, and even if no fraud has been committed.

That information can simply come from a mistake, an incorrect filing, a typo, or some other innocent event. But as soon as the bureaus come across the information, and can’t figure it out, it usually ends up in a consumer’s sub-file where it lives forever.

And that’s why Marco continues to get these alerts. Some other person or persons are associated with his Social Security number, which keeps triggering the alerts. The bureaus won’t do anything about it because they either don’t know or don’t care who the real owner of the Social Security number is.

As the bureaus are very quick to point out, they don’t grant credit and can’t be blamed for people who give credit to the wrong identity. Bureaus simply gather personal information, package it, and sell it. Even if there’s a ghost or two in the machine.

As a story on NBC reported, often the ghost identity is a result of identity theft. Illegal workers might purchase or even invent a Social Security Number in order to get a job, and if the new employer doesn’t verify the person’s identity, that new hybrid identity is now in the system. But it’s not in the credit report of the person that Social Security Number really belongs to because his or her name doesn’t match.

And in the NBC story, that same SSN can then be shared among and between other illegal workers so that eventually dozens of people are all working under the victim’s Social Security number. Yet no trace of it in credit reports, Social Security earnings, or anywhere else. Except, that is, in a sub-file somewhere in the deep dark basement of a credit bureau.

Capital One faces massive fine for duping its customers into paying for worthless credit monitoring

http://blog.identitytheftcouncil.org/?p=451

Thu, 19 Jul 2012 03:34:08 +0000

In another blow to the dishonest peddling of questionable credit monitoring and identity protection services, today the Consumer Financial Protection Bureau (CFPB) announced a massive fine of $210 million against Capital One, for allegedly tricking consumers into paying for things like credit monitoring services without their consent.

$150 million will go to reimburse an estimated 2 million consumers who were affected by this scam, with the remaining going into a Civil Penalty Fund to help future victims.

It looks like the CFPB is not done either, and may have many other financial services companies in its sights, companies that engaged in practices to trick customers into subscribing for worthless services.

In an interview with Reuters, Ed Mierzwinski, consumer program director of advocacy group U.S. PIRG, said “Consumers should know that credit protection and monitoring are the worst add-on products you can buy.” According to Reuters, Travis Plunkett, legislative director of the Consumer Federation of America, is no kinder, referring to these services as “junk products.”

Capital One seemed to be blaming its vendors and identity protection partners. According to an investigation by the Wall Street Journal, the settlement ordered that 500,000 customers who were signed up for identity protection through Affinion, makers of the PrivacyGuard monitoring service, and Intersections, makers of the IdentityGuard product, also be reimbursed.

It never ceases to amaze me that an industry that is supposed to be based on absolute trust – inviting consumers to trust their identities to these vendors – deliberately and without apology breaches that trust as part of its business model.

The Identity Theft Council Supports the U.S. Anti-Bot Code of Conduct for ISPs

http://blog.identitytheftcouncil.org/?p=447

Fri, 06 Apr 2012 18:22:06 +0000

More than one in ten U.S. computers are infected by difficult-to-detect “bots” or “zombies,” which “botmasters” can use for anything from sending spam, to eavesdropping on network traffic, to stealing user passwords.

The Online Trust Alliance (OTA) joined a unanimous vote at the Federal Communications Commission’s (FCC) Communications Security, Reliability and Interoperability Council (CSRIC) meeting today, approving the voluntary U.S. Anti-Bot Code of Conduct for Internet Service Providers (ISPs), also known as the ABCs for ISPs. As a member of the CSRIC appointed by FCC Chairman Julius Genachowski, the OTA has been working with the FCC and leading ISPs to develop this voluntary Code. Under the Chairman’s leadership, this example of private and public sector collaboration is an important step forward to help protect our nation’s critical infrastructure and consumer data.

“Today is an example of the importance of self-regulatory efforts to help improve the safety and performance of the internet,” said Craig Spiezle, executive director and president, Online Trust Alliance. “Sustainable solutions to contain bots must include all stakeholders in efforts to detect, prevent, and remediate these threats.”

The development of the ABCs for ISPs was a multi-stakeholder effort over the past 12 months, with the participation of ISPs, trade associations and companies, including OTA members PayPal, Microsoft, Symantec, and Internet Identity, and leading ISPs, including AT&T, Comcast and CenturyLink. Focusing on residential users, the Code includes five areas of focus for ISPs: education, detection, notification, remediation, and collaboration.

Based on OTA analysis and initial ISP self-reporting, approximately 51 percent (or 41.2 million) of the 81 million U.S. households who have broadband service are realizing added protection from ISPs who have adopted the Anti-Bot Code of Conduct. The CSRIC report cites research that ISPs also benefited – from reduced upstream traffic, spam, and helpdesk calls – when they took a proactive approach to bot remediation.

OTA, as an independent organization committed to enhancing online trust and confidence, encourages ISPs to self-report to OTA. Future reports will include the adoption of similar efforts by other stakeholders and industry segments. More information including the Code and summary of ecosystem support.

“The ABCs for ISPs is a significant step forward and we applaud those ISPs who have already stepped up to the plate,” said Neal O’Farrell, executive director, Identity Theft Council. “We have a shared responsibility to help protect consumers from abuse and identity theft. Consumers should encourage their ISPs and telecommunications carriers to adopt these and other best practices.”

Summary of Public Support

Voluntary Code of Conduct Participation Requirements – To participate in this Code, an ISP is required to engage in at least one activity (i.e., take meaningful action) in each of the following general areas:

Education – an activity intended to help increase end-user education and awareness of botnet issues and how to help prevent bot infections;

Detection – an activity intended to identify botnet activity in the ISP’s network, obtain information on botnet activity in the ISP’s network, or enable end-users to self-determine potential bot infections on their end-user devices;

Notification – an activity intended to notify customers of suspected bot infections or enable customers to determine if they may be infected by a bot;

Remediation – an activity intended to provide information to end-users about how they can remediate bot infections, or to assist end-users in remediating bot infections;

Collaboration – an activity to share with other ISPs feedback and experience learned from the participating ISP’s Code activities.

About The Online Trust Alliance (OTA) https://otalliance.org

OTA’s mission is to develop and advocate best practices, public policy and self-regulation to mitigate emerging privacy, identity and security threats to online services, brands, government, organizations and consumers. By enhancing online trust and confidence, we can realize the potential of the internet, promote innovation and the vitality of commerce.